Non-NAP Capable computers receiving full network access using DHCP enforcement

  • Tuesday, June 23, 2009 4:28 PM Lefty777
     
    I have it set up so non-NAP capable computers have restricted access, yet they are receiving full access to the network.  Once connected, if I do a Repair or an ipconfig /release then a renew, they revert to restricted access.  If I unplug and then plug in the network cable or reboot, they once again receive full access until I again do a Repair or ipconfig /release then renew.  Everything else is working as I want. 

Answers

  • Sunday, June 28, 2009 10:39 PM Greg Lindsay MSFT, Owner
     Answer
    Lefty777,

    Thanks for posting the event logs. The events all say that the policy that was matched is the Non-NAP capable policy:

    Network Policy Name:  NAP DHCP Non NAP-Capable

    None of the events evaluate a client as compliant or non-compliant. In order to match one of these health states, the client must be NAP-capable. When it is non-NAP capable (because NAP agent is not running) it is quarantined because you have configured the non-NAP capable policy's "NAP enforcement" setting to provide limited network access. This is expected.

    The problem you are seeing is due to a recently reported bug that only affects XP SP3 non-NAP capable clients using DHCP enforcement. We are investigating the cause. It may be a client side problem or an issue on the DHCP server. I'll update this thread if additional details or fixes become available. The only solution available at this time is to allow the client to renew its DHCP lease.

    -Greg

All Replies

  • Wednesday, June 24, 2009 11:06 AM Lefty777
     
    I should add a little more information.  If I check the DHCP server it tells me NAP is ON for this machine.  If I check the NAP logs it tells me this computer is quarantined, yet it still has full network access until the Repair or release/renew is done; then it acts as it should, with restricted access.
  • Wednesday, June 24, 2009 8:16 PM Greg Lindsay MSFT, Owner
     
    Hi,

    Is the client running XP SP3?

    -Greg
  • Thursday, June 25, 2009 1:04 AM Lefty777
     
    Yes it is.
  • Thursday, June 25, 2009 1:21 AM Greg Lindsay MSFT, Owner
     

    Hi,

    The reason I ask is I've seen this issue before only with XP SP3 and DHCP enforcement - usually the first time a non-NAP capable client joins the network. You can also see it 50% of the time if you manually release and renew the IP address. It never happens if the client renews its DHCP lease normally, or if NAP agent is running.

    You can confirm this is the same problem by reviewing the NPS event log. When a DHCP client requests network access in a NAP DHCP scenario, there must be an access request recorded. NPS will then accept/deny/restrict the client based on the contents of the request (health, computer group, etc). Even if the client is non-NAP capable, there should be a record of the DHCP request.

    However, sometimes when a non-NAP capable XP SP3 client sends the first request this isn't processed at all by NPS. The result is that the DHCP server simply provides a typical IP address configuration. You can confirm this by looking at the NPS event log to see that no access request was logged.

    We are already looking at this issue, but if this is indeed your problem then additional reports help. Can you confirm that no NPS events are recorded when this occurs? View NPS events at Custom Views\Server Roles\Network Policy and Access Services.

    Thanks,
    -Greg
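
Added example (not part of the post above and not Microsoft code): one way to automate the check Greg describes, by matching DHCP leases against NPS events 6272/6276 parsed from Event XML in the layout posted in this thread. The lease list, the 30-second matching window, the verdict labels and the second MAC address are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NPS_EVENT_IDS = {"6272", "6276"}  # the NPS event IDs posted in this thread

# Constructed sample, trimmed to the fields used below; the layout follows the
# Event XML in the thread. The 4624 event is unrelated noise that is skipped.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6276</EventID>
    <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" /></System>
  <EventData>
    <Data Name="CallingStationID">001422EDA6CC</Data>
    <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
    <Data Name="QuarantineState">Quarantined </Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2009-06-25T10:50:01.000Z" /></System>
  <EventData><Data Name="CallingStationID">020000000001</Data></EventData>
</Event>
</Events>"""

# Constructed lease list (MAC, lease time in UTC), e.g. taken from DHCP records.
SAMPLE_LEASES = [
    ("00-14-22-ED-A6-CC", datetime(2009, 6, 25, 10, 47, 44, tzinfo=timezone.utc)),
    ("02-00-00-00-00-01", datetime(2009, 6, 25, 10, 50, 0, tzinfo=timezone.utc)),
]


def normalize_mac(mac):
    """Drop separators so 00-14-22-... and 001422... compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()


def parse_time(system_time):
    """SystemTime is UTC; keep at most microsecond precision for strptime."""
    stamp = system_time.rstrip("Z")[:26]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_nps_events(xml_text):
    """Return one dict per NPS access event found in the exported XML."""
    events = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) not in NPS_EVENT_IDS:
            continue
        # Values in the log carry trailing spaces ("Quarantined "), so strip them.
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        events.append({
            "time": parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")),
            "mac": normalize_mac(data.get("CallingStationID", "")),
            "policy": data.get("NetworkPolicyName", ""),
            "state": data.get("QuarantineState", ""),
        })
    return events


def triage_leases(leases, events, window=timedelta(seconds=30)):
    """Classify each lease by what NPS logged for that MAC around lease time."""
    verdicts = {}
    for mac, leased_at in leases:
        key = normalize_mac(mac)
        near = [e for e in events
                if e["mac"] == key and abs(e["time"] - leased_at) <= window]
        if not near:
            verdicts[key] = "no_nps_request"      # lease issued, nothing logged by NPS
        elif any(e["state"] == "Quarantined" for e in near):
            verdicts[key] = "quarantined_by_nps"  # verify the client really is restricted
        else:
            verdicts[key] = "not_quarantined"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in triage_leases(SAMPLE_LEASES, parse_nps_events(SAMPLE_XML)).items():
        print(mac, verdict)
```

A lease reported as no_nps_request is the case described above where the first request is never processed by NPS; a quarantined_by_nps lease is one to compare against the configuration the client actually received.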

  • Thursday, June 25, 2009 11:22 AM Lefty777
     

    I am pasting in the 4 log entries I get for this computer, as I get with any computer, they all show as Non NAP-capable at first and then change to either Compliant or Non-compliant depending on their health state, they all change to a Result of Full Access as they should.  This one shows as quarantined all the way through despite getting full access.  It looks to me as it should, but will let you examine it.  You are right about the 50% also.  I can do a release/renew, one time it restricts it, the next time it allows it, and back and forth it goes, even though the logs are the same each time.  I also am having problems with computers being put in an Exception group not being processed as exceptions and being restricted instead of being allowed access, but I figure I will tackle this problem first before moving on, maybe there is a common fix for both.

    Here are the log entries.  I should add, I have pasted the log entries in the order they get logged, so the first one you read is the first log entry posted.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2009 7:47:43 AM
    Event ID:      6272
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      LEG-FS1.gnb.ca
    Description:
    Network Policy Server granted access to a user.

    User:
     Security ID:   NULL SID
     Account Name:   -
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   leg-co489486
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  142.139.19.0
     Calling Station Identifier:  001422EDA6CC

    NAS:
     NAS IPv4 Address:  142.139.19.161
     NAS IPv6 Address:  -
     NAS Identifier:   LEG-FS1
     NAS Port-Type:   Ethernet
     NAS Port:   -

    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -

    Authentication Details:
     Proxy Policy Name:  NAP DHCP
     Network Policy Name:  NAP DHCP Non NAP-Capable
     Authentication Provider:  Windows
     Authentication Server:  LEG-FS1.gnb.ca
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  323732393137363738

    Quarantine Information:
     Result:    Quarantined
     Session Identifier:   -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6272</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
        <EventRecordID>149022</EventRecordID>
        <Correlation />
        <Execution ProcessID="712" ThreadID="6220" />
        <Channel>Security</Channel>
        <Computer>LEG-FS1.gnb.ca</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">leg-co489486</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">142.139.19.0</Data>
        <Data Name="CallingStationID">001422EDA6CC</Data>
        <Data Name="NASIPv4Address">142.139.19.161</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">LEG-FS1</Data>
        <Data Name="NASPortType">Ethernet </Data>
        <Data Name="NASPort">-</Data>
        <Data Name="ClientName">-</Data>
        <Data Name="ClientIPAddress">-</Data>
        <Data Name="ProxyPolicyName">NAP DHCP</Data>
        <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
        <Data Name="AuthenticationProvider">Windows </Data>
        <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
        <Data Name="AuthenticationType">Unauthenticated </Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">323732393137363738</Data>
        <Data Name="QuarantineState">Quarantined </Data>
        <Data Name="QuarantineSessionIdentifier">-</Data>
      </EventData>
    </Event>

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2009 7:47:43 AM
    Event ID:      6272
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      LEG-FS1.gnb.ca
    Description:
    Network Policy Server granted access to a user.

    User:
     Security ID:   NULL SID
     Account Name:   -
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   leg-co489486
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  142.139.19.0
     Calling Station Identifier:  001422EDA6CC

    NAS:
     NAS IPv4 Address:  142.139.19.161
     NAS IPv6 Address:  -
     NAS Identifier:   LEG-FS1
     NAS Port-Type:   Ethernet
     NAS Port:   -

    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -

    Authentication Details:
     Proxy Policy Name:  NAP DHCP
     Network Policy Name:  NAP DHCP Non NAP-Capable
     Authentication Provider:  Windows
     Authentication Server:  LEG-FS1.gnb.ca
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  323732393137363738

    Quarantine Information:
     Result:    Quarantined
     Session Identifier:   -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6272</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
        <EventRecordID>149023</EventRecordID>
        <Correlation />
        <Execution ProcessID="712" ThreadID="6220" />
        <Channel>Security</Channel>
        <Computer>LEG-FS1.gnb.ca</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">leg-co489486</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">142.139.19.0</Data>
        <Data Name="CallingStationID">001422EDA6CC</Data>
        <Data Name="NASIPv4Address">142.139.19.161</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">LEG-FS1</Data>
        <Data Name="NASPortType">Ethernet </Data>
        <Data Name="NASPort">-</Data>
        <Data Name="ClientName">-</Data>
        <Data Name="ClientIPAddress">-</Data>
        <Data Name="ProxyPolicyName">NAP DHCP</Data>
        <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
        <Data Name="AuthenticationProvider">Windows </Data>
        <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
        <Data Name="AuthenticationType">Unauthenticated </Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">323732393137363738</Data>
        <Data Name="QuarantineState">Quarantined </Data>
        <Data Name="QuarantineSessionIdentifier">-</Data>
      </EventData>
    </Event>

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2009 7:47:43 AM
    Event ID:      6276
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      LEG-FS1.gnb.ca
    Description:
    Network Policy Server quarantined a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   -
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   leg-co489486
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  142.139.19.0
     Calling Station Identifier:  001422EDA6CC

    NAS:
     NAS IPv4 Address:  142.139.19.161
     NAS IPv6 Address:  -
     NAS Identifier:   LEG-FS1
     NAS Port-Type:   Ethernet
     NAS Port:   -

    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -

    Authentication Details:
     Proxy Policy Name:  NAP DHCP
     Network Policy Name:  NAP DHCP Non NAP-Capable
     Authentication Provider:  Windows
     Authentication Server:  LEG-FS1.gnb.ca
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  323732393137363738

    Quarantine Information:
     Result:    Quarantined
     Extended-Result:   -
     Session Identifier:   -
     Help URL:   -
     System Health Validator Result(s): -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6276</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
        <EventRecordID>149024</EventRecordID>
        <Correlation />
        <Execution ProcessID="712" ThreadID="6220" />
        <Channel>Security</Channel>
        <Computer>LEG-FS1.gnb.ca</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">leg-co489486</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">142.139.19.0</Data>
        <Data Name="CallingStationID">001422EDA6CC</Data>
        <Data Name="NASIPv4Address">142.139.19.161</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">LEG-FS1</Data>
        <Data Name="NASPortType">Ethernet </Data>
        <Data Name="NASPort">-</Data>
        <Data Name="ClientName">-</Data>
        <Data Name="ClientIPAddress">-</Data>
        <Data Name="ProxyPolicyName">NAP DHCP</Data>
        <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
        <Data Name="AuthenticationProvider">Windows </Data>
        <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
        <Data Name="AuthenticationType">Unauthenticated </Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">323732393137363738</Data>
        <Data Name="QuarantineState">Quarantined </Data>
        <Data Name="ExtendedQuarantineState">-</Data>
        <Data Name="QuarantineSessionID">-</Data>
        <Data Name="QuarantineHelpURL">-</Data>
        <Data Name="QuarantineSystemHealthResult">-</Data>
      </EventData>
    </Event>

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2009 7:47:43 AM
    Event ID:      6276
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      LEG-FS1.gnb.ca
    Description:
    Network Policy Server quarantined a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   -
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   leg-co489486
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  142.139.19.0
     Calling Station Identifier:  001422EDA6CC

    NAS:
     NAS IPv4 Address:  142.139.19.161
     NAS IPv6 Address:  -
     NAS Identifier:   LEG-FS1
     NAS Port-Type:   Ethernet
     NAS Port:   -

    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -

    Authentication Details:
     Proxy Policy Name:  NAP DHCP
     Network Policy Name:  NAP DHCP Non NAP-Capable
     Authentication Provider:  Windows
     Authentication Server:  LEG-FS1.gnb.ca
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  323732393137363738

    Quarantine Information:
     Result:    Quarantined
     Extended-Result:   -
     Session Identifier:   -
     Help URL:   -
     System Health Validator Result(s): -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6276</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-25T10:47:43.855Z" />
        <EventRecordID>149025</EventRecordID>
        <Correlation />
        <Execution ProcessID="712" ThreadID="6220" />
        <Channel>Security</Channel>
        <Computer>LEG-FS1.gnb.ca</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">leg-co489486</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">142.139.19.0</Data>
        <Data Name="CallingStationID">001422EDA6CC</Data>
        <Data Name="NASIPv4Address">142.139.19.161</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">LEG-FS1</Data>
        <Data Name="NASPortType">Ethernet </Data>
        <Data Name="NASPort">-</Data>
        <Data Name="ClientName">-</Data>
        <Data Name="ClientIPAddress">-</Data>
        <Data Name="ProxyPolicyName">NAP DHCP</Data>
        <Data Name="NetworkPolicyName">NAP DHCP Non NAP-Capable</Data>
        <Data Name="AuthenticationProvider">Windows </Data>
        <Data Name="AuthenticationServer">LEG-FS1.gnb.ca</Data>
        <Data Name="AuthenticationType">Unauthenticated </Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">323732393137363738</Data>
        <Data Name="QuarantineState">Quarantined </Data>
        <Data Name="ExtendedQuarantineState">-</Data>
        <Data Name="QuarantineSessionID">-</Data>
        <Data Name="QuarantineHelpURL">-</Data>
        <Data Name="QuarantineSystemHealthResult">-</Data>
      </EventData>
    </Event>

  • Friday, June 26, 2009 6:16 AM Bhuvanl
     
    Hi,
       Yes, this behaviour has been noticed at my setup too. The client gets full access 50% of the time despite being quarantined. This is only on XP SP3 clients.
  • Monday, June 29, 2009 6:56 PM tklose
     
    I am also seeing the same pattern on XP SP3.
    I'm working with very basic DHCP based rules based on the article "Geek of all Trades Control network Access Using DHCP Enforcement"

    If you run napstat.exe on the client... it thinks everything is good, and it's not.

    Is there better logging on the server side? Does anyone have details on how to read the accounting logs?
  • Friday, August 21, 2009 7:40 PM MyGposts
     
    Is there a fix for XP SP3 clients or is this fixed in 2008 R2 DHCP servers?
  • Friday, August 21, 2009 9:31 PM Greg Lindsay MSFT, Owner
     
    Hi,

    To answer tklose's question about logging, the best way to interpret client status is with SQL logging. We are working on making this simpler to implement, but for now you must create a SQL database, table, and stored procedure. I provided some example commands for this in this thread, and I've reproduced it below for you also.

    -- Create the database that will hold the NPS log data
    USE [master]
    GO

    CREATE DATABASE [NPSXML] ON PRIMARY
    (NAME = N'NPSXML', FILENAME = N'D:\NPSSQL\NPSXML.mdf')
    LOG ON (NAME = N'NPSXML_log', FILENAME = N'D:\NPSSQL\NPSXML_log.LDF')
    GO

    USE [NPSXML]
    GO

    -- One row per logged packet; the attributes are stored as XML
    CREATE TABLE [dbo].[NPS_Packets] (
        [PacketTime] [datetime] NOT NULL DEFAULT (getutcdate()),
        [NPS_Attributes] [xml] NOT NULL
    ) ON [PRIMARY]
    GO

    -- CREATE PROCEDURE must be the first statement in its batch
    CREATE PROCEDURE [dbo].[Report_Event]
    (@doc nvarchar(max))
    AS
    INSERT INTO NPS_Packets (PacketTime, NPS_Attributes)
    VALUES (GETUTCDATE(), @doc)
    GO

     
    To answer MyGposts' question, there isn't a fix yet. I've just updated the bug with more information. Please add any information you can about how this problem is affecting your NAP deployment. This will help to expedite a hotfix.

    -Greg

  • Thursday, August 27, 2009 1:22 PM Lefty777
     
    I would think the fact that there are known bugs in NAP would be enough to expedite a hotfix.
  • Thursday, August 27, 2009 1:37 PM MyGposts
     
    We were planning to upgrade our domain from 2003 to 2008 and DHCP enforcement was one of the most important reasons why.  The majority of clients will be XPSP3, so this is a complete show stopper.  We are not going forward with the domain upgrade at all until this is resolved.
  • Monday, August 31, 2009 10:35 AM Marcos Vinícios W. F. da Costa
     
    I have the same problems when I test with WS08 R2...
    Has anyone solved this problem?
    Marcos Vinícios Wasem Ferreira da Costa [ MCP / MCSA / MCSA+S / MCSE / MCSE+S ]
  • Tuesday, October 20, 2009 3:16 AM Vincent Ngai
     
    Hi all,

    I read through all of your messages and got the answer that NAP with XP SP3 has a known bug issue.
    May I know where I can see the update information/hotfix for this problem? Our company also wants to control user network access by antivirus.

    Regards,
    Vincent
  • Tuesday, October 20, 2009 4:56 AM Greg Lindsay MSFT, Owner
     
    Hi,

    There is not a hotfix available for this yet. A workaround would be to use ipconfig/renew in the logon script for XP computers only, but I know this is not ideal.

    I believe the problem is still under investigation, but I have notified the product group that handles this of your request.

    -Greg
  • Tuesday, October 27, 2009 3:21 AM Vincent Ngai
     
    Finally, I've done a test with the NAP-supported client platforms Windows XP SP3, Windows Vista and Windows 7, and one non-supported platform, Windows XP SP2...

    My environment is as follows...

    Windows 2003        Role: DC + DNS
    Windows 2008        Role: NAP Server + DHCP Server
    Windows XP SP3      Role: Client without AntiVirus Client
    Windows Vista       Role: Client with AntiVirus Symantec Endpoint 11 Client
    Windows 7           Role: Client with AntiVirus AVG Free Edition 9.0

    The results I've got are:

    Windows XP SP2 .... matches the expected result that it does not have the NAP agent, and it never got a Health IP *even after doing ipconfig /release + renew

    Windows XP SP3 .... matches the expected result that this version has a known bug issue: no matter whether the NAP agent is disabled, or the client status is a match or no match of the SHVs, the client can get the Health/Limited IP after they do ipconfig /release + renew

    Windows Vista .... matches the expected result and it is supported with Symantec Endpoint 11 Client

    Windows 7 .... matches the expected result and it is supported with AVG Free Edition 9.0

    It's a great technology, but I very much hope the XP SP3 issue gets fixed .... otherwise I will think that NAP is NOT supported in XP!!!!

    P.S. If the situation is like that, I think it is better to make the XP SP3 client give the same result as XP SP2.... that... would make me feel normal....

    P.S.2 Thanks, Greg, for the answer!

    P.S.3 Does anybody know of a list of antivirus clients supported in NAP, or do I need to test one by one?

    Regards and thanks,
    Vincent